PaloAlto EDL Hosting Service

If you want to configure rules for Saas services on the PaloAlto Firewall, you can do this using the App ID for the particular service, or you can use the IP addresses, Domains or URLs of the service in the policy.

However, since Saas services typically do not use only one IP address, domain or URL, and since these can change dynamically, it requires a dynamic list that is constantly updated automatically.

PaloAlto offers this service as «EDL hosting service». External Dynamic Lists (EDL) are dynamic lists that can contain a list of IP addresses, domains or URLs. These lists are periodically queried by the firewall and updated accordingly. These EDL lists can then be used in various policies. Due to the automatic update of the lists, they are always up to date. There is also no need to commit the configuration if the list changes.

«PaloAlto EDL Hosting Service» weiterlesen

Windows update breaks SSO event log readers (FSSO, PAN UIA, WG ELM)

Microsoft has released KB5003646 on the 6th of June 2021. Part of this update is a security hardening measurement to align with recommendations as a conclusion out of CVE-2021-31958.

As a known issue of this KB5003646, microsoft has noted in the release notes: «After installing this or later updates, apps accessing event logs on remote devices might be unable to connect.»

This is exactly what is happening on Fortinet FSSO (FSSO with FortiGate, as well as FSSO over the FortiAuthenticator) and Palo Alto Networks User-ID Agent. They are not working anymore after the installation of Update KB5003646.

«Windows update breaks SSO event log readers (FSSO, PAN UIA, WG ELM)» weiterlesen

Exchange Pwn2Own Vulnerability April 2021 (Yes, a new one – it’s not Hafnium anymore!)

Let’s mention the important things first: Please patch you vulnerable Exchange 2013, 2016 and 2019 immediately! The page msxfaq has published an infosite to this vulnerability including the instructions how to fix your Exchange.

Some security researchers have demonstrated three high risk vulnerabilities for exchange server systems. Microsoft has published information about the vulnerability today and even has a patch for the problem already in place.

«Exchange Pwn2Own Vulnerability April 2021 (Yes, a new one – it’s not Hafnium anymore!)» weiterlesen

Exchange Hafnium Vulnerability March 2021

Let’s mention the important things first: Please patch you vulnerable Exchange 2013, 2016 and 2019 immediately! The page msxfaq has published an infosite to this vulnerability including the instructions how to fix your Exchange.

Even though we, as Boll Engineering AG, are not associated in any way with the affected product, a lot of our customer reported, that they have vulnerable systems in place and may be affected by this bug. We have been asked if IPS signatures and WAF patches are already implemented. Therefore we decided to post this blog to raise the awareness of this vulnerability once more, even after the broad press has already published a lot of releases regarding this matter.

This blog post regards the following CVE reports:

«Exchange Hafnium Vulnerability March 2021» weiterlesen

Palo Alto Firewall Feature: Block Tor Exit nodes with an External Dynamic List (EDL)

With the possibility to include external lists from third parties via the feature «External Dynamic List EDL», this opens up many possibilities to restrict your own security policies even better and to prevent access to the TOR network.

In the following tutorial I will show you how to configure the list of TOR exit nodes, which can be found at https://check.torproject.org/torbulkexitlist as a list of IP addresses.

«Palo Alto Firewall Feature: Block Tor Exit nodes with an External Dynamic List (EDL)» weiterlesen

OpenSSL Heartbleed Bug Informationen

Hier finden Sie Informationen zu der OpenSSL Schwachstelle und Herstellerinformationen.

«Offizielle» Webseiten
http://heartbleed.com/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Testseiten
http://filippo.io/Heartbleed/
https://www.ssllabs.com

Betroffene OpenSSL Versionen
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

«OpenSSL Heartbleed Bug Informationen» weiterlesen

Two new «big ladies»

Und schon wieder gibt es Zuwachs in unserem Eval-Stock. Neben der FG-3140B gesellen sich nun auch zwei grosse PaloAlto Network PA-5050 für Evaluationszwecke mit Gigabit-Anforderungen.  Die Geräte sind speziell entwickelt worden, um Netzwerke von Data Center, Large Enterprises oder Service Provider abzusichern, ohne dabei Einbussen im Datendurchsatz in Kauf nehmen zu müssen.

Die Next Generation Firewalls von Palo Alto Networks sind darauf spezialisiert neben den klassischen Firewall-Funktionen auch Applikationen und User zu erkennen. D.h. Firewall-Regeln werden nicht nur auf Basis von IP-Adressen und Ports sondern explizit auf Basis von Usern und Applikationen vorgenommen. Darüber hinaus bietet das GUI der Firewall eine exzellente Möglichkeit, das aktuelle Applikations-Geschehen auf dem Netzwerk darzustellen und die daraus resultierende Bedrohungslage zu errechnen.

«Two new «big ladies»» weiterlesen